Shrink the pg_hba.conf and pg_ident.conf default files and move most of the

inline documentation to the main docs.
23 years ago · 49c86099f3
parent d73f8137d2
commit 49c86099f3
3 changed files with 306 additions and 434 deletions
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@ -1,5 +1,5 @@
 <!--
-$Header: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v 1.36 2002/08/16 04:48:16 momjian Exp $
+$Header: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v 1.37 2002/09/14 18:35:46 petere Exp $
 -->
 <chapter id="client-authentication">
@ -45,10 +45,10 @@ $Header: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v 1.36 2002/08/16 04:48:16
  database user names and OS user names.
 </para>
- <sect1 id="pg-hba-conf">
+ <sect1 id="auth-pg-hba-conf">
  <title>The <filename>pg_hba.conf</filename> file</title>
-  <indexterm zone="pg-hba-conf">
+  <indexterm zone="auth-pg-hba-conf">
   <primary>pg_hba.conf</primary>
  </indexterm>
@ -85,9 +85,9 @@ $Header: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v 1.36 2002/08/16 04:48:16
  <para>
   A record may have one of the three formats
   <synopsis>
-local   <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>authentication-method</replaceable> [ <replaceable>authentication-option</replaceable> ]
+local   <replaceable>database</replaceable>  <replaceable>user</replaceable>  <replaceable>authentication-method</replaceable>  <optional><replaceable>authentication-option</replaceable></optional>
-host    <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>IP-address</replaceable> <replaceable>IP-mask</replaceable> <replaceable>authentication-method</replaceable>
+host    <replaceable>database</replaceable>  <replaceable>user</replaceable>  <replaceable>IP-address</replaceable>  <replaceable>IP-mask</replaceable>  <replaceable>authentication-method</replaceable>  <optional><replaceable>authentication-option</replaceable></optional>
-hostssl <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>IP-address</replaceable> <replaceable>IP-mask</replaceable> <replaceable>authentication-method</replaceable>
+hostssl  <replaceable>database</replaceable>  <replaceable>user</replaceable>  <replaceable>IP-address</replaceable>  <replaceable>IP-mask</replaceable>  <replaceable>authentication-method</replaceable>  <optional><replaceable>authentication-option</replaceable></optional>
    </synopsis>
   The meaning of the fields is as follows:
@ -96,8 +96,9 @@ hostssl <replaceable>database</replaceable> <replaceable>user</replaceable> <rep
     <term><literal>local</literal></term>
     <listitem>
      <para>
-       This record applies to connection attempts using Unix domain
+       This record matches connection attempts using Unix domain
-       sockets.
+       sockets.  Without a record of this type, Unix-domain socket
       connections are disallowed
      </para>
     </listitem>
    </varlistentry>
@ -106,7 +107,7 @@ hostssl <replaceable>database</replaceable> <replaceable>user</replaceable> <rep
     <term><literal>host</literal></term>
     <listitem>
      <para>
-       This record applied to connection attempts using TCP/IP networks.
+       This record matches connection attempts using TCP/IP networks.
       Note that TCP/IP connections are disabled unless the server is
       started with the <option>-i</option> option or the
       <literal>tcpip_socket</> <filename>postgresql.conf</>
@ -119,13 +120,18 @@ hostssl <replaceable>database</replaceable> <replaceable>user</replaceable> <rep
     <term><literal>hostssl</literal></term>
     <listitem>
      <para>
-       This record applies to connection attempts using SSL over
+       This record matches connection attempts using SSL over TCP/IP.
-       TCP/IP. To make use of this option the server must be
+       <literal>host</literal> records will match either SSL or
-       built with SSL support enabled. Furthermore, SSL must be
+       non-SSL connection attempts, but <literal>hostssl</literal>
-       enabled with the <option>-l</> option or equivalent configuration
+       records require SSL connections.
-       setting when the server is started.  (Note: <literal>host</literal>
+      </para>
-       records will match either SSL or non-SSL connection attempts, but
+
-       <literal>hostssl</literal> records require SSL connections.)
+      <para>
       To be able make use of this option the server must be built
       with SSL support enabled. Furthermore, SSL must be enabled by
       enabling the option <literal>ssl</literal> in
       <filename>postgresql.conf</filename> (see <xref
       linkend="runtime-config">).
      </para>
     </listitem>
    </varlistentry>
@ -134,18 +140,18 @@ hostssl <replaceable>database</replaceable> <replaceable>user</replaceable> <rep
     <term><replaceable>database</replaceable></term>
     <listitem>
      <para>
-       Specifies the database for this record. The value
+       Specifies which databases this record matches.  The value
-       <literal>all</literal> specifies that it applies to all
+       <literal>all</literal> specifies that it matches all databases.
-       databases, while the value <literal>sameuser</> identifies the
+       The value <literal>sameuser</> specifies that the record
-       database with the same name as the connecting user. The value
+       matches if the requested database has the same name as the
-       <literal>samegroup</> identifies a group with the same name as
+       requested user.  The value <literal>samegroup</> specifies that
-       the database name. Only members of this group can connect to the
+       the requested user must a member of the group with the same
-       database. Otherwise, this is the name of a specific
+       name as the requested database.  Otherwise, this is the name of
-       <productname>PostgreSQL</productname> database. Multiple database
+       a specific <productname>PostgreSQL</productname> database.
-       names can be supplied by separating them with commas. A file
+       Multiple database names can be supplied by separating them with
-       containing database names can be specified by preceding the file
+       commas.  A file containing database names can be specified by
-       name with <literal>@</>. The file must be in the same directory
+       preceding the file name with <literal>@</>. The file must be in
-       as <filename>pg_hba.conf</>.
+       the same directory as <filename>pg_hba.conf</>.
      </para>
     </listitem>
    </varlistentry>
@ -154,41 +160,48 @@ hostssl <replaceable>database</replaceable> <replaceable>user</replaceable> <rep
     <term><replaceable>user</replaceable></term>
     <listitem>
      <para>
-       Specifies the user for this record. The value
+       Specifies which PostgreSQL users this record matches. The value
-       <literal>all</literal> specifies that it applies to all users.
+       <literal>all</literal> specifies that it matches all users.
       Otherwise, this is the name of a specific
       <productname>PostgreSQL</productname> user. Multiple user names
       can be supplied by separating them with commas. Group names can
       be specified by preceding the group name with <literal>+</>. A
-       file containing user names can be specified by preceding the file
+       file containing user names can be specified by preceding the
-       name with <literal>@</>. The file must be in the same directory
+       file name with <literal>@</>. The file must be in the same
-       as <filename>pg_hba.conf</>.
+       directory as <filename>pg_hba.conf</>.
      </para>
     </listitem>
    </varlistentry>
    <varlistentry>
-     <term><replaceable>IP address</replaceable></term>
+     <term><replaceable>IP-address</replaceable></term>
-     <term><replaceable>IP mask</replaceable></term>
+     <term><replaceable>IP-mask</replaceable></term>
     <listitem>
      <para>
-       These two fields specify the client machine IP addresses
+       These two fields contain IP address/mask values in standard
-       (<literal>host</literal> or <literal>hostssl</literal>) for this
+       dotted decimal notation. (IP addresses can only be specified
-       record. (Of course IP addresses can be spoofed but this
+       numerically, not as domain or host names.)  Taken together they
-       consideration is beyond the scope of
+       specify the client machine IP addresses that this record
-       <productname>PostgreSQL</productname>.) The precise logic is that
+       matches.  The precise logic is that
       <blockquote>
        <informalfigure>
         <programlisting>(<replaceable>actual-IP-address</replaceable> xor <replaceable>IP-address-field</replaceable>) and <replaceable>IP-mask-field</replaceable></programlisting>
        </informalfigure>
       </blockquote>
-       must be zero for the record to match.
+       must be zero for the record to match.  (Of course IP addresses
       can be spoofed but this consideration is beyond the scope of
       <productname>PostgreSQL</productname>.)
      </para>
      <para>
       These fields only apply to <literal>host</literal> and
       <literal>hostssl</literal> records.
      </para>
     </listitem>
    </varlistentry>
    <varlistentry>
-     <term><replaceable>authentication method</replaceable></term>
+     <term><replaceable>authentication-method</replaceable></term>
     <listitem>
      <para>
       Specifies the authentication method to use when connecting via
@ -204,7 +217,8 @@ hostssl <replaceable>database</replaceable> <replaceable>user</replaceable> <rep
          allows anyone that can connect to the
          <productname>PostgreSQL</productname> database to login as
          any <productname>PostgreSQL</productname> user they like,
-          without the need for a password.
+          without the need for a password.  See <xref
          linkend="auth-trust"> for details.
         </para>
        </listitem>
       </varlistentry>
@ -226,6 +240,7 @@ hostssl <replaceable>database</replaceable> <replaceable>user</replaceable> <rep
          Requires the client to supply an MD5 encrypted password for
          authentication. This is the only method that allows encrypted
          passwords to be stored in <structname>pg_shadow</structname>.
          See <xref linkend="auth-password"> for details.
         </para>
        </listitem>
       </varlistentry>
@ -237,6 +252,7 @@ hostssl <replaceable>database</replaceable> <replaceable>user</replaceable> <rep
          Like <literal>md5</literal> method but uses older crypt
          encryption, which is needed for pre-7.2 clients.
          <literal>md5</literal> is preferred for 7.2 and later clients.
          See <xref linkend="auth-password"> for details.
         </para>
        </listitem>
       </varlistentry>
@ -247,6 +263,7 @@ hostssl <replaceable>database</replaceable> <replaceable>user</replaceable> <rep
         <para>
          Same as "md5", but the password is sent in cleartext over the
          network. This should not be used on untrusted networks.
          See <xref linkend="auth-password"> for details.
         </para>
        </listitem>
       </varlistentry>
@ -256,7 +273,8 @@ hostssl <replaceable>database</replaceable> <replaceable>user</replaceable> <rep
        <listitem>
         <para>
          Kerberos V4 is used to authenticate the user. This is only
-          available for TCP/IP connections.
+          available for TCP/IP connections.  See <xref
          linkend="kerberos-auth"> for details.
         </para>
        </listitem>
       </varlistentry>
@ -266,7 +284,8 @@ hostssl <replaceable>database</replaceable> <replaceable>user</replaceable> <rep
        <listitem>
         <para>
          Kerberos V5 is used to authenticate the user. This is only
-          available for TCP/IP connections.
+          available for TCP/IP connections.  See <xref
          linkend="kerberos-auth"> for details.
         </para>
        </listitem>
       </varlistentry>
@ -275,38 +294,32 @@ hostssl <replaceable>database</replaceable> <replaceable>user</replaceable> <rep
        <term><literal>ident</></term>
        <listitem>
         <para>
-          For TCP/IP connections, authentication is done by contacting
+          Obtain the operating system user name of the client (for
-          the <firstterm>ident</firstterm> server on the client
+          TCP/IP connections by contacting the ident server on the
-          host. This is only as secure as the client machine. You must
+          client, for local connections by getting it from the
-          specify the map name after the 'ident' keyword. It
+          operating system) and check if the user is allowed to
-          determines how to map remote user names to
+          connect as the requested database user by consulting the map
-          <productname>PostgreSQL</productname> user names. If you use
+          specified after the <literal>ident</literal> key word.
-          "sameuser", the user names are assumed to be identical. If
+         </para>
-          not, the map name is looked up in the $PGDATA/pg_ident.conf
+
         <para>
          If you use the map <literal>sameuser</literal>, the user
          names are assumed to be identical. If not, the map name is
          looked up in the <literal>$PGDATA/pg_ident.conf</literal>
          file. The connection is accepted if that file contains an
          entry for this map name with the ident-supplied user name
          and the requested <productname>PostgreSQL</productname> user
          name.
         </para>
         <para>
-          On machines that support unix-domain socket credentials
+          For local connections, this only works on machines that
-          (currently Linux, FreeBSD, NetBSD, and BSD/OS), ident allows
+          support Unix-domain socket credentials (currently Linux,
-          reliable authentication of 'local' connections without ident
+          FreeBSD, NetBSD, and BSD/OS).
          running on the local machine.
         </para>
         <para>
 	  On systems without <symbol>SO_PEERCRED</> requests, ident
 	  authentication is only available for TCP/IP connections. As a
 	  work around, it is possible to specify the <systemitem
 	  class="systemname">localhost</> address <systemitem
 	  class="systemname">127.0.0.1</> and make connections to this
 	  address.
         </para>
         <para>
-          Following the <literal>ident</> keyword, an <firstterm>ident
+          See <xref linkend="auth-ident"> below for details.
          map</firstterm> name should be supplied which specifies which
          operating system users equate with which database users. See
          below for details.
         </para>
        </listitem>
       </varlistentry>
@ -315,27 +328,27 @@ hostssl <replaceable>database</replaceable> <replaceable>user</replaceable> <rep
        <term><literal>pam</></term>
        <listitem>
         <para>
-          This authentication type operates similarly to
+          Authenticate using the Pluggable Authentication Modules
-          <firstterm>password</firstterm> except that it uses PAM
+          (PAM) service provided by the operating system.  See <xref
-          (Pluggable Authentication Modules) as the authentication
+          linkend="auth-pam"> for details.
          mechanism. The default PAM service name is
          <literal>postgresql</literal>. You can optionally supply you
          own service name after the <literal>pam</> keyword in the
          file. For more information about PAM, please read the <ulink
          url="http://www.kernel.org/pub/linux/libs/pam/"><productname>Linux-PAM</>
          Page</ulink> and the <ulink
          url="http://www.sun.com/software/solaris/pam/"><systemitem
          class="osname">Solaris</> PAM Page</ulink>.
         </para>
        </listitem>
       </varlistentry>
      </variablelist>
      </para>
     </listitem>
    </varlistentry>
    <varlistentry>
     <term><replaceable>authentication-option</replaceable></term>
     <listitem>
      <para>
       The meaning of this optional field depends on the chosen
       authentication method and is described in the next section.
      </para>
     </listitem>
    </varlistentry>
   </variablelist>
  </para>
@ -353,6 +366,13 @@ hostssl <replaceable>database</replaceable> <replaceable>user</replaceable> <rep
   range of allowed client IP addresses.
  </para>
  <important>
   <para>
    Do not prevent the superuser from accessing the template1
    database.  Various utility commands need access to template1.
   </para>
  </important>
  <para>
    <indexterm>
     <primary>SIGHUP</primary>
@ -373,55 +393,67 @@ hostssl <replaceable>database</replaceable> <replaceable>user</replaceable> <rep
   <example id="example-pg-hba.conf">
    <title>An example <filename>pg_hba.conf</filename> file</title>
 <programlisting>
-# TYPE       DATABASE    USER       IP_ADDRESS    MASK               AUTHTYPE
+# Allow any user on the local system to connect to any database under
-
+# any user name using Unix-domain sockets (the default for local
-# Allow any user on the local system to connect to any
+# connections).
-# database under any user name, but only via an IP connection:
+#
-
+# TYPE  DATABASE    USER        IP-ADDRESS        IP-MASK           METHOD
 host         all         all        127.0.0.1     255.255.255.255    trust     
 # The same, over Unix-socket connections:
 local   all         all                                             trust
-# Allow any user from any host with IP address 192.168.93.x to
+# The same using local loopback TCP/IP connections.
-# connect to database "template1" as the same user name that ident on that
+#
-# host identifies him as (typically his Unix user name):
+# TYPE  DATABASE    USER        IP-ADDRESS        IP-MASK           METHOD
 host    all         all         127.0.0.1         255.255.255.255   trust     
 # Allow any user from any host with IP address 192.168.93.x to connect
 # to database "template1" as the same user name that ident reports for
 # the connection (typically the Unix user name).
 # 
 # TYPE  DATABASE    USER        IP-ADDRESS        IP-MASK           METHOD
 host    template1   all         192.168.93.0      255.255.255.0     ident sameuser
-# Allow a user from host 192.168.12.10 to connect to database "template1"
+# Allow a user from host 192.168.12.10 to connect to database
-# if the user's password is correctly supplied:
+# "template1" if the user's password is correctly supplied.
-
+# 
 # TYPE  DATABASE    USER        IP-ADDRESS        IP-MASK           METHOD
 host    template1   all         192.168.12.10     255.255.255.255   md5
-# In the absence of preceding "host" lines, these two lines will reject
+# In the absence of preceding "host" lines, these two lines will
-# all connection attempts from 192.168.54.1 (since that entry will be
+# reject all connection from 192.168.54.1 (since that entry will be
-# matched first), but allow Kerberos V5-validated connections from anywhere
+# matched first), but allow Kerberos V connections from anywhere else
-# else on the Internet. The zero mask means that no bits of the host IP
+# on the Internet.  The zero mask means that no bits of the host IP
-# address are considered, so it matches any host:
+# address are considered so it matches any host.
-
+# 
 # TYPE  DATABASE    USER        IP-ADDRESS        IP-MASK           METHOD
 host    all         all         192.168.54.1      255.255.255.255   reject
 host    all         all         0.0.0.0           0.0.0.0           krb5
-# Allow users from 192.168.x.x hosts to connect to any database, if they
+# Allow users from 192.168.x.x hosts to connect to any database, if
-# pass the ident check.  If, for example, ident says the user is "bryanh"
+# they pass the ident check.  If, for example, ident says the user is
-# and he requests to connect as <productname>PostgreSQL</> user "guest1", the connection
+# "bryanh" and he requests to connect as PostgreSQL user "guest1", the
-# is allowed if there is an entry in pg_ident.conf for map "omicron" that
+# connection is allowed if there is an entry in pg_ident.conf for map
-# says "bryanh" is allowed to connect as "guest1":
+# "omicron" that says "bryanh" is allowed to connect as "guest1".
-
+#
 # TYPE  DATABASE    USER        IP-ADDRESS        IP-MASK           METHOD
 host    all         all         192.168.0.0       255.255.0.0       ident omicron
-# If these are the only two lines for local connections, they will allow
+# If these are the only three lines for local connections, they will
-# local users to connect only to their own databases (database named the
+# allow local users to connect only to their own databases (databases
-# same as the user name), except for administrators who may connect to
+# with the same name as their user name) except for administrators and
-# all databases.  The file $PGDATA/admins lists the user names who are
+# members of group "support" who may connect to all databases.  The file
-# permitted to connect to all databases.  Passwords are required in all
+# $PGDATA/admins contains a list of user names.  Passwords are required in
-# cases.  (If you prefer to use ident authorization, an ident map can
+# all cases.
-# serve a parallel purpose to the password list file used here.)
+#
-
+# TYPE  DATABASE    USER        IP-ADDRESS        IP-MASK           METHOD
 local   sameuser    all                                             md5
 local   all         @admins                                         md5
 local   all         +support                                        md5
 # The last two lines above can be combined into a single line:
 local   all         @admins,+support                                md5
 # The database column can also use lists and file names, but not groups:
 local   db1,db2,@demodbs  all                                       md5
 </programlisting>
   </example>
  </para>
@ -542,10 +574,10 @@ local        all        @admins                                        md5
    <productname>Kerberos</productname> system is far beyond the scope
    of this document; in all generality it can be quite complex (yet
    powerful). The <ulink
-    url="http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html">Kerb
+    url="http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html">Kerberos
-    eros <acronym>FAQ</></ulink> or <ulink
+    <acronym>FAQ</></ulink> or <ulink
-    url="ftp://athena-dist.mit.edu">MIT Project Athena</ulink> can be a
+    url="ftp://athena-dist.mit.edu">MIT Project Athena</ulink> can be
-    good starting point for exploration. Several sources for
+    a good starting point for exploration. Several sources for
    <productname>Kerberos</> distributions exist.
   </para>
@ -620,13 +652,25 @@ local        all        @admins                                        md5
  </sect2>
-  <sect2>
+  <sect2 id="auth-ident">
   <title>Ident-based authentication</title>
   <indexterm>
    <primary>ident</primary>
   </indexterm>
   <para>
    The ident authentication method works by inspecting the client's
    operating system user name and determining the allowed database
    user names by using a map file that lists the permitted
    corresponding user name pairs.  The determination of the client's
    user name is the security-critical point, and it works differently
    depending on the connection type.
   </para>
   <sect3>
    <title>Ident Authentication over TCP/IP</title>
   <para>
    The <quote>Identification Protocol</quote> is described in
    <citetitle>RFC 1413</citetitle>. Virtually every Unix-like
@ -660,15 +704,35 @@ local        all        @admins                                        md5
     </para>
    </blockquote>
   </para>
   </sect3>
   <sect3>
    <title>Ident Authentication over Local Sockets</title>
   <para>
    On systems supporting <symbol>SO_PEERCRED</symbol> requests for
-    Unix-domain sockets, ident authentication can also be applied to
+    Unix-domain sockets (currently <systemitem
-    local connections. In this case, no security risk is added by using
+    class="osname">Linux</>, <systemitem class="osname">FreeBSD</>,
-    ident authentication; indeed it is a preferable choice for local
+    <systemitem class="osname">NetBSD</>, and <systemitem
-    connections on such systems.
+    class="osname">BSD/OS</>, ident authentication can also be applied
    to local connections. In this case, no security risk is added by
    using ident authentication; indeed it is a preferable choice for
    local connections on such systems.
   </para>
    <para>
     On systems without <symbol>SO_PEERCRED</> requests, ident
     authentication is only available for TCP/IP connections. As a
     work around, it is possible to specify the <systemitem
     class="systemname">localhost</> address <systemitem
     class="systemname">127.0.0.1</> and make connections to this
     address.
    </para>
    </sect3>
   <sect3>
    <title>Ident Maps</title>
   <para>
    When using ident-based authentication, after having determined the
    name of the operating system user that initiated the connection,
@ -731,7 +795,7 @@ local        all        @admins                                        md5
   <example id="example-pg-ident.conf">
    <title>An example <filename>pg_ident.conf</> file</title>
 <programlisting>
-#MAP           IDENT-NAME   POSTGRESQL-NAME
+# MAPNAME     IDENT-USERNAME    PG-USERNAME
 omicron       bryanh            bryanh
 omicron       ann               ann
@ -741,6 +805,25 @@ omicron        robert       bob
 omicron       bryanh            guest1
 </programlisting>
   </example>
   </sect3>
  </sect2>
  <sect2 id="auth-pam">
   <title>PAM Authentication</title>
   <para>
    This authentication type operates similarly to
    <firstterm>password</firstterm> except that it uses PAM (Pluggable
    Authentication Modules) as the authentication mechanism. The
    default PAM service name is <literal>postgresql</literal>. You can
    optionally supply you own service name after the <literal>pam</>
    keyword in the file. For more information about PAM, please read
    the <ulink
    url="http://www.kernel.org/pub/linux/libs/pam/"><productname>Linux-PAM</>
    Page</ulink> and the <ulink
    url="http://www.sun.com/software/solaris/pam/"><systemitem
    class="osname">Solaris</> PAM Page</ulink>.
   </para>
  </sect2>
 </sect1>
--- a/src/backend/libpq/pg_hba.conf.sample
+++ b/src/backend/libpq/pg_hba.conf.sample
@ -1,259 +1,48 @@
-# 
+# PostgreSQL Client Authentication Configuration File
-#		  PostgreSQL HOST-BASED ACCESS (HBA) CONTROL FILE
+# ===================================================
-# 
+#
-# 
+# Refer to the PostgreSQL Administrator's Guide, chapter "Client
-# This file controls:
+# Authentication" for a complete description.  A short synopsis
-# 	o which hosts are allowed to connect
+# follows.
-# 	o how users are authenticated on each host
+#
-# 	o databases accessible by each host
+# This file controls: which hosts are allowed to connect, how clients
-# 
+# are authenticated, which PostgreSQL user names they can use, which
-# It is read on postmaster startup and when the postmaster receives a SIGHUP.
+# databases they can access.  Records take one of three forms:
-# If you edit the file on a running system, you have to SIGHUP the postmaster
+#
-# for the changes to take effect, or use "pg_ctl reload".
+# local    DATABASE  USER  METHOD  [OPTION]
-# 
+# host     DATABASE  USER  IP-ADDRESS  IP-MASK  METHOD  [OPTION]
-# Each line is a new record. Records cannot span multiple lines. 
+# hostssl  DATABASE  USER  IP-ADDRESS  IP-MASK  METHOD  [OPTION]
-# Comments begin with # and continue to the end of the line. 
+#
-# Blank lines are ignored. A record consists of tokens separated by 
+# (The uppercase quantities should be replaced by actual values.)
-# spaces or tabs.
+# DATABASE can be "all", "sameuser", "samegroup", a database name (or
-# 
+# a comma-separated list thereof), or a file name prefixed with "@".
-# Each record specifies a connection type and authentication method. Most
+# USER can be "all", an actual user name or a group name prefixed with
-# records also can restrict based on database name or IP address. 
+# "+" or a list containing either.  IP-ADDRESS and IP-MASK specify the
-#
+# set of hosts the record matches.  METHOD can be "trust", "reject",
-# When reading this file, the postmaster finds the first record that
+# "md5", "crypt", "password", "krb4", "krb5", "ident", or "pam".  Note
-# matches the connection type, client address, and database name, and uses
+# that "password" uses clear-text passwords; "md5" is preferred for
-# that record to perform client authentication. If no record matches, the
+# encrypted passwords.  OPTION is the ident map or the name of the PAM
-# connection is rejected.
+# service.
-#
+#
-# The first token of a record indicates the connection type. The
+# This file is read on server startup and when the postmaster receives
-# remainder of the record is interpreted based on that type.
+# a SIGHUP signal.  If you edit the file on a running system, you have
-# 
+# to SIGHUP the postmaster for the changes to take effect, or use
-# Record Types
+# "pg_ctl reload".
-# ============
+
 # 
 # There are three record types:
 # 	o host
 # 	o hostssl
 # 	o local
 # 
 # host
 # ----
 # 
 # This record identifies hosts that are permitted to connect via TCP/IP.
 # 
 # Format:
 # 
 #   host       DATABASE    USER      IP_ADDRESS    MASK               AUTH_TYPE
 # 
 # DATABASE can be:
 #	o a database name
 #	o "sameuser", which means a user can only access a database with the
 #	  same name as their user name
 #	o "samegroup", which means a user can only access databases when they
 #	  are members of a group with the same name as the database name
 #	o "all", which matches all databases
 #	o a list of database names, separated by commas
 #	o a file name containing database names, starting with '@'
 #
 # USER can be:
 #	o a user name
 #	o "all", which matches all users
 #	o a list of user names, separated by commas
 #	o a group name, starting with '+'
 #	o a file name containing user names, starting with '@'
 #
 # Files read using '@' can contain comma-separated database/user names,
 # or one name per line.  The files can also contain comments using '#'.
 #
 # IP_ADDRESS and MASK are standard dotted decimal IP address and
 # mask values. IP addresses can only be specified numerically, not as
 # domain or host names.
 # 
 # Do not prevent the superuser from accessing the template1 database.
 # Various utility commands need access to template1.
 # 
 # AUTH_TYPE is described below.
 #
 # 
 # hostssl
 # -------
 # 
 # The format of this record is identical to "host".
 # 
 # It specifies hosts that require connection via secure SSL. "host"
 # allows SSL connections too, but "hostssl" requires SSL-secured
 # connections.
 # 
 # This keyword is only available if the server was compiled with SSL
 # support.
 # 
 # 
 # local
 # -----
 # 
 # This record identifies the authentication for local UNIX domain socket
 # connections. Without this record, UNIX-socket connections are disallowed
 # 
 # Format:
 #   local      DATABASE    USER      AUTH_TYPE
 # 
 # This format is identical to the "host" record type except there are no
 # IP_ADDRESS and MASK fields.
 #
 # 
 # 
 # Authentication Types (AUTH_TYPE)
 # ================================
 # 
 # AUTH_TYPE indicates the method used to authenticate users. Each record
 # has an AUTH_TYPE.
 #
 #   trust: 
 #		No authentication is done. Any valid user name is accepted,
 # 		including the PostgreSQL superuser. This option should
 # 		be used only for hosts where all users are trusted.
 # 
 #   md5:
 #	  	Requires the client to supply an MD5 encrypted password for
 #		authentication.  This is the only method that allows encrypted
 #		passwords to be stored in pg_shadow.
 # 
 #   crypt:
 #	  	Same as "md5", but uses crypt for pre-7.2 clients.
 #
 #   password:
 #		Same as "md5", but the password is sent in cleartext over
 #		the network.  This should not be used on untrusted
 #		networks.
 # 
 #   ident:
 #		For TCP/IP connections, authentication is done by contacting the
 #		ident server on the client host. This is only as secure as the
 #		client machine. You must specify the map name after the 'ident'
 #		keyword. It determines how to map remote user names to
 #		PostgreSQL user names. If you use "sameuser", the user names are
 #		assumed to be identical. If not, the map name is looked up
 #		in the $PGDATA/pg_ident.conf file. The connection is accepted if
 #		that file contains an entry for this map name with the
 #		ident-supplied username and the requested PostgreSQL username.
 #
 #		On machines that support unix-domain socket credentials
 #		(currently Linux, FreeBSD, NetBSD, and BSD/OS), ident allows
 #		reliable authentication of 'local' connections without ident 
 #		running on the local machine.
 #
 #   krb4:
 #		Kerberos V4 authentication is used.  Allowed only for
 #		TCP/IP connections, not for local UNIX-domain sockets.
 # 
 #   krb5:
 #		Kerberos V5 authentication is used.  Allowed only for
 #		TCP/IP connections, not for local UNIX-domain sockets.
 # 
 #   pam:
 #		Authentication is done by PAM using the default service name
 #		"postgresql". You can specify your own service name by adding
 #		the service name after the 'pam' keyword. To use this option,
 #		PostgreSQL must be configured --with-pam.
 #
 #   reject:
 #	 	Reject the connection. This is used to reject certain hosts
 #		that are part of a network specified later in the file.
 #		To be effective, "reject" must appear before the later
 #		entries.
 #
 # 
 # 
 # Examples
 # ========
 # 
 # 
 # Allow any user on the local system to connect to any database under any
 # username using Unix-domain sockets (the default for local connections):
 #
 # TYPE       DATABASE    USER       IP_ADDRESS    MASK               AUTH_TYPE
 # local      all         all                                         trust
 # 
 # The same using local loopback TCP/IP connections:
 #
 # TYPE      DATABASE     USER    IP_ADDRESS    MASK               AUTH_TYPE
 # host      all          all     127.0.0.1     255.255.255.255    trust     
 # 
 # Allow any user from any host with IP address 192.168.93.x to
 # connect to database "template1" as the same username that ident reports
 # for the connection (typically his Unix username):
 # 
 # TYPE       DATABASE    USER    IP_ADDRESS    MASK               AUTH_TYPE
 # host       template1   all     192.168.93.0  255.255.255.0      ident sameuser
 # 
 # Allow a user from host 192.168.12.10 to connect to database "template1"
 # if the user's password is correctly supplied:
 # 
 # TYPE       DATABASE    USER     IP_ADDRESS    MASK               AUTH_TYPE
 # host       template1   all      192.168.12.10 255.255.255.255    md5
 # 
 # In the absence of preceding "host" lines, these two lines will reject
 # all connection from 192.168.54.1 (since that entry will be matched
 # first), but allow Kerberos V5 connections from anywhere else on the
 # Internet. The zero mask means that no bits of the host IP address are
 # considered so it matches any host:
 # 
 # 
 # TYPE       DATABASE    USER     IP_ADDRESS    MASK               AUTH_TYPE
 # host       all         all      192.168.54.1  255.255.255.255    reject
 # host       all         all      0.0.0.0       0.0.0.0            krb5
 # 
 # Allow users from 192.168.x.x hosts to connect to any database if they
 # pass the ident check. For example, if ident says the user is "james" and
 # he requests to connect as PostgreSQL user "guest", the connection is
 # allowed if there is an entry in $PGDATA/pg_ident.conf with map name 
 # "phoenix" that says "james" is allowed to connect as "guest":
 # See $PGDATA/pg_ident.conf for more information on Ident maps.
 # 
 # TYPE       DATABASE    USER     IP_ADDRESS    MASK               AUTH_TYPE
 # host       all         all      192.168.0.0    255.255.0.0       ident phoenix
 #
 # If these are the only three lines for local connections, they will
 # allow local users to connect only to their own databases (databases
 # with the same name as their user name) except for administrators and
 # members of group 'support' who may connect to all databases . The file
 # $PGDATA/admins contains a list of user names. Passwords are required in
 # all cases.
 #
 # TYPE       DATABASE    USER      IP_ADDRESS    MASK               AUTH_TYPE
 # local      sameuser    all                                        md5
 # local      all         @admins                                    md5
 # local      all         +support                                   md5
 #
 # The last two lines above can be combined into a single line:
 #
 # local      all         @admins,+support                           md5
 #
 # The database column can also use lists and file names, but not groups:
 #
 # local      db1,db2,@demodbs  all                                  md5
 #
 #
 # 
 #
 #
 # 
 # Put your actual configuration here
-# ==================================
+# ----------------------------------
 # 
 # The default configuration allows any local user to connect using any
 # PostgreSQL username, including the superuser, over either UNIX domain
 # sockets or TCP/IP.
 #
-# If you want to allow non-local connections, you need to add more "host"
+# CAUTION: The default configuration allows any local user to connect
-# records. Also, remember TCP/IP connections are only enabled if you
+# using any PostgreSQL user name, including the superuser, over either
-# start the postmaster with the -i flag, or enable "tcpip_socket" in
+# Unix-domain sockets or TCP/IP.  If you are on a multiple-user
-# $PGDATA/postgresql.conf.
+# machine, the default configuration is probably too liberal for you.
 # Change it to use something other than "trust" authentication.
 #
-# CAUTION: if you are on a multiple-user machine, the default
+# If you want to allow non-local connections, you need to add more
-# configuration is probably too liberal for you. Change it to use
+# "host" records.  Also, remember TCP/IP connections are only enabled
-# something other than "trust" authentication.
+# if you enable "tcpip_socket" in postgresql.conf.
-# 
+
-# TYPE       DATABASE      USER      IP_ADDRESS    MASK               AUTH_TYPE
+# TYPE  DATABASE    USER        IP-ADDRESS        IP-MASK           METHOD
 local   all         all                                             trust
 host    all         all         127.0.0.1         255.255.255.255   trust
--- a/src/backend/libpq/pg_ident.conf.sample
+++ b/src/backend/libpq/pg_ident.conf.sample
@ -1,35 +1,35 @@
-# 
+# PostgreSQL Ident Authentication Maps
-# 		PostgreSQL IDENT-BASED AUTHENTICATION MAPS
+# ====================================
-# 
+#
-# This file controls PostgreSQL ident-based authentication. It maps ident
+# Refer to the PostgreSQL Administrator's Guide, chapter "Client
-# usernames (typically Unix usernames) to their corresponding PostgreSQL
+# Authentication" for a complete description.  A short synopsis
-# usernames. Entries are grouped by map name. Each record consists of
+# follows.
-# three fields:
+#
-# 
+# This file controls PostgreSQL ident-based authentication. It maps
-# 	o map name
+# ident user names (typically Unix user names) to their corresponding
-# 	o ident username
+# PostgreSQL user names.  Records are of the form:
-# 	o PostgreSQL username
+#
-# 
+# MAPNAME  IDENT-USERNAME  PG-USERNAME
-# It is read on postmaster startup and when the postmaster receives a SIGHUP.
+#
-# If you edit the file on a running system, you have to SIGHUP the postmaster
+# (The uppercase quantities should be replaced by actual values.)
-# for the changes to take effect.
+# MAPNAME is the (otherwise freely chosen) map name that was used in
-#
+# pg_hba.conf.  IDENT-USERNAME is the detected user name of the
-# For example, the following entry equates user "james" on a remote system
+# client.  PG-USERNAME is the request PostgreSQL user name.  The
-# to PostgreSQL user "guest" in the map named "phoenix":
+# existence of a record specifies that IDENT-USERNAME may connect as
-# 
+# PG-USERNAME.  Multiple maps may be specified in this file and used
-# MAP       IDENT    PGUSERNAME
+# by pg_hba.conf.
-# phoenix   james    guest
+#
-# 
+# This file is read on server startup and when the postmaster receives
-# "phoenix" can now be used by an "ident" record in $DATA/pg_hba.conf.
+# a SIGHUP signal.  If you edit the file on a running system, you have
-# 
+# to SIGHUP the postmaster for the changes to take effect, or use
-# Multiple maps may be specified in this file and used by pg_hba.conf.
+# "pg_ctl reload".
-# 
+
-# Note that it is possible for a remote user to map to multiple PostgreSQL
+# Put your actual configuration here
-# usernames. The PostgreSQL username specified at connection time controls
+# ----------------------------------
-# which one is used.
+#
-# 
+# No map names are defined in the default configuration.  If all ident
-# If all ident usernames and PostgreSQL usernames are the same, you don't
+# user names and PostgreSQL user names are the same, you don't need
-# need this file. Instead, use the special map name "sameuser" in
+# this file.  Instead, use the special map name "sameuser" in
 # pg_hba.conf.
-# 
+
-# MAP     IDENT    PGUSERNAME
+# MAPNAME     IDENT-USERNAME    PG-USERNAME